Re: sniffer detection on switched based networks

From: Rob McMillen (
Date: 02/06/03

  • Next message: Brett Harris: "Re: sniffer detection on switched based networks"
    Date: Wed, 5 Feb 2003 18:13:13 -0500 (EST)
    From: Rob McMillen <>
    To: Sangram <>

    Take a look at snort's arpspoof preprocessor plugin.

    On Wed, 5 Feb 2003, Sangram wrote:

    > Hi,
    > As we know sniffing on swithch based networks is not easy (ignoring the
    > monitor port of the switch). Usually a arp spoof, DNS spoof or other such
    > attacks have to be launched. There are tools like Dsniff which can
    > accomplish this task quite easily.
    > Now what I would like to know is there any method / tool or snort ids rule
    > set which can detect such sniffers on systems esp on switch based networks.
    > And here I am talking of large corporate ethernet networks. The
    > considerations are that I dont want to over load the network by probing each
    > w/s indivisually. And if the process is automated it would be all the more
    > better.
    > Regards
    > Sangram Gayal
    > Associate Consultant
    > Enterprise Security Consulting Group
    > Mahindra - British Telecom Ltd.
    > *********************************************************
    > Disclaimer
    > This message (including any attachments) contains
    > confidential information intended for a specific
    > individual and purpose, and is protected by law.
    > If you are not the intended recipient, you should
    > delete this message and are hereby notified that
    > any disclosure, copying, or distribution of this
    > message, or the taking of any action based on it,
    > is strictly prohibited.
    > *********************************************************
    > Visit us at